Bandit23->24
Level Goal
A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
NOTE: This level requires you to create your own first shell-script. This is a very big step and you should be proud of yourself when you beat this level!
NOTE 2: Keep in mind that your shell script is removed once executed, so you may want to keep a copy around…
Commands useful to solve the level
Helpful Reading Material
- File Permissions
- Filename Expansion
- Looping Constructs
- Conditional Constructs
- Shebang Unix
- Can a file that is executable be read ServerFault Discussion
- How does the #! shebang work ? StackOverflow Discussion
- Shell script working without shebang, why? StackOverflow Discussion
- Execute vs Read bit. How do directory permissions in Linux work UnixStackexchange Discussion
Where to start?
The goal of this level is to have you write your first shell script (if you haven't written one before). Even though the shell scripts we're going to write in this level are pretty simple, I think it is a very good occasion to learn more about File Permissions, so that after beating this level you'll understand deeply what they mean and how to set them properly.
Info
On a more personal note, even though I did a lot of bash scripting before, and thus thought that this level would be a piece of cake, it took me 3 days to figure out the solution to that level. Not because I couldn't write a script, but because I never cared that much about file permissions. So you can trust me, I'll set you on the right track for thinking about file permissions in a Linux environment.
For the script retrieval, as with the previous level, I'll let you look at level 21 and then come back when the script is in front of your eyes.
Part 1 : Script analysis
In this first part, we're going to analyse the script in order to know what it is about and how to use it to retrieve the password for the next level.
Hint
Using the useful commands and the helpful reading material, can you figure out what the script does?
Solution
We already know from the previous level that the script changes the directory to /var/spool/bandit24/foo, as bandit24 is the value contained in the myname variable.
The script then executes as follows :
- For all the files and the hidden files in the directory, it executes a loop (see Filename Expansion for more explanations about how the patterns are matched).
- In this loop, if the filename is not '.' or '..', then it does the test that follows.
- The call to the stat command only prints the username of the owner of the file. So if the owner is bandit23 (which is us), it runs the following command.
- The call to the timeout utility runs the script for at most 60 seconds and then sends a SIGKILL signal to the script to ensure it stops.
- Regardless of whether the script was executed or not, the script is removed, which means that the directory ends up being totally empty at the end of the cronjob execution.
Part 2 : Creating a basic script
Now that we know what the program does, we understand that we just need to create a script and put it in the right folder (which is /var/spool/bandit24/foo) and if properly written it will give us the password for the bandit24 level.
Hint
Using the previous level, can you design a simple script to print bandit24 password in a way we can retrieve it? Recall that all output is redirected to /dev/null, which means you may have to create a file where bandit24 will be able to write the password to.
Solution
For this basic script, we'll copy the model of bandit22. This means that we'll write a simple script that prints the password to a custom file. Here is the script we'll use :
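#!/usr/bin/env bash
# Output file name: the md5 hash of a fixed phrase
filename="$(echo Hello my fellow mates | md5sum | cut -d ' ' -f 1)"
# The cron job runs this as bandit24, which is allowed to read the password file
cat /etc/bandit_pass/bandit24 > "/tmp/${filename}"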
We'll save it to a file called script (but you can use any name you want) and copy this file to the proper location, which is /var/spool/bandit24/foo.
We will then run a loop to check for the script's presence in this folder (in order to know whether or not the script has executed and to see if it has done what we want).
- First, we're going to go into a temporary directory (with cd "$(mktemp -d /tmp/hello_fellow_mates.XXXXXXXXXX)"). Don't worry about the funny name template, I just thought it was funnier than just using tmp every time.
- Then we are going to write our script to a file called script
- Then we are going to run the following commands :
cp script /var/spool/bandit24/foo/script
echo -n Waiting for cronjob
while stat /var/spool/bandit24/foo/script >& /dev/null ; do echo -n . ; sleep 1 ; done
echo -e '\n'cronjob executed
The last part allows us to monitor the script (using the stat command, which returns true if it found the script at the specified location) and see when it is executed (thus meaning that we should expect an output).
Part 3 : Setting the proper file permissions
Once the cronjob has executed, when we try to run cat /tmp/"$(echo Hello my fellow mates | md5sum | cut -d ' ' -f 1)", we see the following output :
bandit23@bandit:/tmp/hello_fellow_mates.1JNCwI8su9$ cat /tmp/$(echo Hello my fellow mates | md5sum | cut -d ' ' -f 1)
cat: /tmp/af1eebe9db8a5242b192026716ddde8f: No such file or directory
bandit23@bandit:/tmp/hello_fellow_mates.1JNCwI8su9$
Bug
Wtf Shelltief, you told us that this script was working?!
Well, bear with me because it is. The only thing we need is to give bandit24 the permission to execute it. Until now, it was not executing because bandit24 wasn't granted the right to run the script, so the cron job deleted it without even running it.
Hint
By reading the File Permissions section of the gnu coreutils documentation, can you figure out how to set the right file permissions for the script to actually execute?
Solution
Let's run a quick stat on our script file. We will run the following command :
stat -c '%A Uid: (%u/%U) Gid: (%g/%G)' script
-rw-rw-r-- Uid: (11023/bandit23) Gid: (11023/bandit23)
By running the following commands :
chmod o+x script
cp script /var/spool/bandit24/foo/script
echo -n Waiting for cronjob
while stat /var/spool/bandit24/foo/script >& /dev/null ; do echo -n . ; sleep 1 ; done
echo -e '\n'cronjob executed
cat /tmp/"$(echo Hello my fellow mates | md5sum | cut -d ' ' -f 1)"
we can see the password printed to stdout.
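The cron job's loop from Part 1 and the failure seen in Part 3, as an added sketch that is not the script on the Bandit host: run_spool is rebuilt from the description above, and demo, its file names and the throwaway directories are constructed. Everything runs as one user here, so the owner's execute bit stands in for the o+x bit that bandit24 needs.

```sh
#!/bin/sh
# Added illustration, reconstructed from the prose description of the cron job;
# it is not the script that ships on the Bandit host.

# run_spool DIR OWNER: walk every entry of DIR (hidden ones included); entries
# owned by OWNER are executed for at most 60 s, and every entry is then deleted.
run_spool() (
    cd "$1" || exit 1
    for i in * .*; do
        [ -e "./$i" ] || continue            # an unmatched glob stays literal
        if [ "$i" != "." ] && [ "$i" != ".." ]; then
            if [ "$(stat -c '%U' "./$i")" = "$2" ]; then
                # exec fails here when the invoking user lacks the execute bit
                timeout -s 9 60 "./$i" > /dev/null 2>&1 || true
            fi
            rm -f "./$i"                     # removed whether it ran or not
        fi
    done
)

# demo: drop two scripts into a throwaway spool (constructed sample input),
# run the job once, then report which scripts ran and what is left behind.
demo() {
    spool=$(mktemp -d) && out=$(mktemp -d) || return 1
    for name in no_exec_bit with_exec_bit; do
        # each script leaves a marker file in $out when it really executes
        printf '#!/bin/sh\n: > "%s/%s"\n' "$out" "$name" > "$spool/$name"
        chmod 644 "$spool/$name"
    done
    chmod +x "$spool/with_exec_bit"
    # owner name exactly as stat reports it for files we create
    run_spool "$spool" "$(stat -c '%U' "$spool")"
    echo "ran: $(ls "$out" | tr '\n' ' ')| left in spool: $(ls -A "$spool" | wc -l)"
    rm -rf "$spool" "$out"
}

demo
```

Both scripts disappear from the spool, but only the one with the execute bit leaves its marker file, which is the same silent deletion seen before chmod o+x.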
Full Solution
- cd "$(mktemp -d)" to change directory to a temporary directory
- printf '%s\n' '#!/usr/bin/env bash' "cat /etc/bandit_pass/bandit24 > /tmp/$(echo Hello my fellow mates | md5sum | cut -d ' ' -f 1)" > script to create the script that we'll use to print the password in our dedicated file.
- chmod o+x script to give bandit24 permission to execute the script
- cat /tmp/"$(echo Hello my fellow mates | md5sum | cut -d ' ' -f 1)" to retrieve the password
Bonus : Creating a file inside the directory
We learned how to create a file to store the password in, let's now go one step further and see whether or not we can figure out how to create a script that creates a file containing the password within our temporary directory.
Hint
Using what we did before and the Helpful Reading Material, can you figure out a way to write a script that will be able to create a file in our temporary directory? You will have to make another call to chmod to get all the file permissions right.
Solution
Here is our script :
#!/usr/bin/env bash
cat /etc/bandit_pass/bandit24 > /tmp/hello_fellow_mates.1JNCwI8su9/bandit24_pass
Let's run a quick stat, but this time on our directory :
bandit23@bandit:/tmp/hello_fellow_mates.1JNCwI8su9$ stat -c '%A Uid: (%u/%U) Gid: (%g/%G)' .
drwx------ Uid: (11023/bandit23) Gid: (11023/bandit23)
bandit23@bandit:/tmp/hello_fellow_mates.1JNCwI8su9$
We then run chmod on our directory to set the right permissions :
chmod o+wx .
After copying the script to the /var/spool/bandit24/foo directory, we will see the file bandit24_pass created after the cronjob execution.
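Why the bonus needs both bits of chmod o+wx, as an added example that is not part of the original walkthrough: first_blocker and other_bits are hypothetical helpers that read only the classic mode bits (ACLs and group membership are ignored), and the directories in the demo are constructed.

```sh
#!/bin/sh
# Added illustration: which directory stops a user in the "other" class from
# creating a file in TARGET? Assumption: only the classic mode bits matter.

# other_bits PATH: print the "other" permission digit (0-7) of PATH.
other_bits() {
    mode=$(stat -c '%a' "$1") || return 1
    echo $(( mode % 10 ))
}

# first_blocker ROOT TARGET: TARGET must lie below ROOT, and ROOT is a directory
# already known to be reachable (for example /tmp). Every directory from ROOT
# down to TARGET needs o+x (search); TARGET also needs o+w to add a new entry.
# Prints the first directory that fails and why, or "none".
first_blocker() {
    dir=${1%/}; rest=${2#"$dir"}; rest=${rest#/}
    while :; do
        [ $(( $(other_bits "$dir") & 1 )) -ne 0 ] || { echo "$dir (no o+x)"; return 0; }
        [ -n "$rest" ] || break
        dir=$dir/${rest%%/*}                 # descend one path component
        case $rest in */*) rest=${rest#*/} ;; *) rest= ;; esac
    done
    [ $(( $(other_bits "$dir") & 2 )) -ne 0 ] || { echo "$dir (no o+w)"; return 0; }
    echo none
}

# Constructed demo: a private work directory with mode 700 (drwx------).
base=$(mktemp -d); mkdir "$base/work"
chmod 755 "$base"; chmod 700 "$base/work"
first_blocker "$base" "$base/work"           # blocked: others cannot even enter
chmod o+w "$base/work"
first_blocker "$base" "$base/work"           # still blocked: write without search
chmod o+x "$base/work"
first_blocker "$base" "$base/work"           # o+wx: another user can create a file
rm -rf "$base"
```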
You can now jump to the next level